# Plan your deployment
<a name="plan-your-deployment"></a>

This section describes the cost, security, Region, and quota considerations for planning your deployment.

## Supported AWS Regions
<a name="supported-aws-regions"></a>

This solution uses AWS services that are not currently available in all AWS Regions. You must launch this solution in an AWS Region where these services are available. For the most current availability of AWS services by Region, refer to the [AWS Regional Services List](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

Account Assessment for AWS Organizations is supported in the following commercial AWS Regions, as well as GovCloud US-West:


| Region Name | Region Code | 
| --- | --- | 
|  Africa (Cape Town)  |  af-south-1  | 
|  Asia Pacific (Hong Kong)  |  ap-east-1  | 
|  Asia Pacific (Tokyo)  |  ap-northeast-1  | 
|  Asia Pacific (Seoul)  |  ap-northeast-2  | 
|  Asia Pacific (Osaka)  |  ap-northeast-3  | 
|  Asia Pacific (Mumbai)  |  ap-south-1  | 
|  Asia Pacific (Hyderabad)  |  ap-south-2  | 
|  Asia Pacific (Singapore)  |  ap-southeast-1  | 
|  Asia Pacific (Sydney)  |  ap-southeast-2  | 
|  Asia Pacific (Jakarta)  |  ap-southeast-3  | 
|  Asia Pacific (Melbourne)  |  ap-southeast-4  | 
|  Canada (Central)  |  ca-central-1  | 
|  Canada (Western)  |  ca-west-1  | 
|  Europe (Frankfurt)  |  eu-central-1  | 
|  Europe (Zurich)  |  eu-central-2  | 
|  Europe (Stockholm)  |  eu-north-1  | 
|  Europe (Milan)  |  eu-south-1  | 
|  Europe (Spain)  |  eu-south-2  | 
|  Europe (Ireland)  |  eu-west-1  | 
|  Europe (London)  |  eu-west-2  | 
|  Europe (Paris)  |  eu-west-3  | 
|  Israel (Tel Aviv)  |  il-central-1  | 
|  Middle East (UAE)  |  me-central-1  | 
|  Middle East (Bahrain)  |  me-south-1  | 
|  South America (Sao Paulo)  |  sa-east-1  | 
|  US East (N. Virginia)  |  us-east-1  | 
|  US East (Ohio)  |  us-east-2  | 
|  US West (Northern California)  |  us-west-1  | 
|  US West (Oregon)  |  us-west-2  | 

# Cost
<a name="cost"></a>

**Note**  
You are responsible for the cost of the AWS services used while running this solution. As of this revision, the cost for running this solution with the default settings in the US East (N. Virginia) Region is approximately **\$45 per month**, based on the assumptions in [Sample cost table](#sample-cost-table).  
Refer to the pricing webpage for each AWS service used in this solution.

We recommend creating a [budget](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-create.html) through [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/) to help you manage costs. Prices are subject to change. For full details, refer to the pricing webpage for each AWS service used in this solution.

## Sample cost table
<a name="sample-cost-table"></a>

The following table provides a sample cost breakdown for deploying this solution with the default parameters in the US East (N. Virginia) Region for one month.

The cost is based on the following assumptions:
+ You are assessing 100 AWS accounts in 10 AWS Regions
+ You are running each assessment type 30 times a month
+ In each account you have a total of 1,000 policies
+ You conduct on average 100 searches per month with the Policy Explorer
+ You are creating 1 Cognito user


| AWS service | Dimensions | Variable or fixed | Cost [USD] | 
| --- | --- | --- | --- | 
|  Amazon API Gateway  |  3,000 REST API calls per month  |  variable  |  <\$0.01  | 
|  Amazon Cognito  |  1 active user per month without the advanced security feature  |  variable  |  <\$0.01  | 
|  Amazon CloudFront  |  1,000 requests  |  variable  |  <\$1.00  | 
|  Amazon S3  |  <1 GB storage  |  variable  |  <\$1.00  | 
|  AWS Lambda  |  90,000 requests with 1,000 ms average duration  |  variable  |  <\$1.00  | 
|  AWS Step Functions  |  189,000 state transitions  |  variable  |  \$4.73  | 
|  Amazon DynamoDB  |  20 million read capacity units, 15 million write capacity units, 0.5 GB storage  |  variable  |  \$23.88  | 
|  AWS WAF  |  1 web ACL, 1 custom rule, 7 managed rule groups  |  fixed  |  \$13.00  | 
|  AWS X-Ray  |  150 traces recorded (3,000 API calls with default 5% sampling rate)  |  variable  |  <\$0.01  | 
|  |  |   **Total monthly cost:**   |   **\$44.64**   | 

# Security
<a name="security"></a>

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit [AWS Cloud Security](https://aws.amazon.com/security/).

**Warning**  
Follow the guidelines in the [AWS account structure section](aws-accounts.md) when choosing the hub and spoke accounts in which to install the solution.

## IAM roles
<a name="iam-roles"></a>

IAM roles allow you to assign granular access policies and permissions to services and users on the AWS Cloud. This solution creates IAM roles that grant the solution’s Lambda functions access to create Regional resources.

## Amazon CloudFront
<a name="amazon-cloudfront"></a>

This solution deploys a web console [hosted](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html) in an Amazon S3 bucket. To help reduce latency and improve security, this solution includes a CloudFront distribution with an origin access identity, a special CloudFront user that is granted read access to the solution’s website bucket contents, so that the bucket itself does not need to be publicly accessible and requests reach it only through the distribution. For more information, refer to [Restricting access to an Amazon S3 origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the *Amazon CloudFront Developer Guide*.

**Note**  
If you require Transport Layer Security (TLS) 1.2, you can configure a custom domain (also called an alternate domain name) in [CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html) and [API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html#apigateway-custom-domain-tls-version-how-to).

## Amazon DynamoDB
<a name="dynamodb-security"></a>

All user data stored in DynamoDB is encrypted at rest using encryption keys stored in AWS KMS. We recommend enforcing [AWS Managed Keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt) because they will allow you to audit key usage. Refer to [Managing encrypted tables in DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html) for more information.

## AWS WAF
<a name="aws-waf"></a>

AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It allows you to configure a web ACL that allows, blocks, or counts web requests based on configurable web security rules and conditions that you define. For more information, refer to [How AWS WAF Works](https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html).

You can use AWS WAF to protect your API Gateway API from common web exploits, such as SQL injection and XSS attacks. These types of attacks could affect API availability and performance, compromise security, or consume excessive resources. For example, you can create rules to allow or block requests from specified IP address ranges, requests from Classless Inter-Domain Routing (CIDR) blocks, requests that originate from a specific country or Region, requests that contain malicious SQL code, or requests that contain malicious script.
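Once the web ACL is in front of the API, the way to confirm that it blocks what the rules are meant to block, and to evaluate managed rule groups still in count mode before switching them to block, is to read its logs. The Python script below is an added example and is not part of the solution: it parses newline-delimited AWS WAF log records, tallies blocked requests by terminating rule and by country, reports rules that matched in count mode, and lists source IPs that were blocked repeatedly. The records, the web ACL ARN, the rule names and the IP addresses are constructed placeholders in the shape of the AWS WAF log format.

```python
"""Summarize AWS WAF logs for the web ACL protecting the API Gateway API.

Added example; not part of the solution. The records are constructed samples
in the shape of AWS WAF JSON log records. The web ACL ARN, rule names and
IP addresses are placeholders, not values from the solution.
"""
import json
from collections import Counter


def _rec(ip, country, action, rule_id, rule_type, counted=()):
    """Build one constructed WAF log record with the fields used below."""
    return {
        "timestamp": 1700000000000,
        "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:us-east-1:111111111111:regional/webacl/placeholder/EXAMPLEID",
        "terminatingRuleId": rule_id,
        "terminatingRuleType": rule_type,
        "action": action,  # terminating action is ALLOW or BLOCK; COUNT matches are listed below
        "httpSourceName": "APIGW",
        "httpSourceId": "111111111111:EXAMPLEAPI:prod",
        "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in counted],
        "httpRequest": {"clientIp": ip, "country": country,
                        "uri": "/prod/policies", "httpMethod": "GET"},
    }


_RECORDS = [
    _rec("198.51.100.23", "US", "BLOCK", "AWS-AWSManagedRulesSQLiRuleSet", "MANAGED_RULE_GROUP"),
    _rec("198.51.100.23", "US", "BLOCK", "AWS-AWSManagedRulesSQLiRuleSet", "MANAGED_RULE_GROUP"),
    _rec("198.51.100.23", "US", "BLOCK", "AWS-AWSManagedRulesCommonRuleSet", "MANAGED_RULE_GROUP"),
    _rec("203.0.113.9", "XX", "BLOCK", "BlockUnexpectedCountries", "REGULAR"),  # custom geo rule, placeholder country code
    _rec("192.0.2.10", "US", "ALLOW", "Default_Action", "DEFAULT"),
    _rec("192.0.2.11", "US", "ALLOW", "Default_Action", "DEFAULT",
         counted=("AWS-AWSManagedRulesKnownBadInputsRuleSet",)),  # rule group still in count mode
]
# WAF delivers logs as newline-delimited JSON; emulate that here.
SAMPLE_LOG_TEXT = "\n".join(json.dumps(r) for r in _RECORDS)


def parse_lines(text):
    """Parse newline-delimited JSON log records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def summarize(records):
    """Tally actions, blocks per rule and country, and count-mode matches per rule."""
    by_action = Counter(r.get("action") for r in records)
    blocked = [r for r in records if r.get("action") == "BLOCK"]
    blocks_by_rule = Counter(r.get("terminatingRuleId") for r in blocked)
    blocks_by_country = Counter(r["httpRequest"].get("country") for r in blocked)
    counted_by_rule = Counter(
        m["ruleId"] for r in records
        for m in r.get("nonTerminatingMatchingRules", [])
        if m.get("action") == "COUNT")
    return {
        "total": len(records),
        "by_action": dict(by_action),
        "blocks_by_rule": dict(blocks_by_rule),
        "blocks_by_country": dict(blocks_by_country),
        "counted_by_rule": dict(counted_by_rule),
    }


def repeat_offenders(records, threshold=3):
    """Client IPs blocked at least `threshold` times; candidates for an IP set rule."""
    hits = Counter(r["httpRequest"]["clientIp"] for r in records if r.get("action") == "BLOCK")
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOG_TEXT)
    print(json.dumps(summarize(recs), indent=2))
    print("repeat offenders:", repeat_offenders(recs))
```

The `counted_by_rule` tally is the one to watch when a managed rule group is deployed in count mode: if it counts only requests you consider malicious, it can be switched to block; if it counts legitimate traffic, a rule-level override is needed first.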

# AWS Account Structure
<a name="aws-accounts"></a>

Follow these guidelines when setting up accounts for each stack:

## Hub Account
<a name="hub-account"></a>

The Hub stack contains all compute and storage resources of the solution to facilitate scans. Select a member account within your AWS Organization to deploy the Hub stack. Since this account will have read access to resource names and policies in all spoke accounts, including bucket names and secret names, choose an account that you protect as carefully as the most sensitive target account you intend to scan.

Important: Avoid using the Organizations management account as your Hub account, as it’s best practice to keep the management account free from operational workloads.

## Spoke Accounts
<a name="spoke-accounts"></a>

Deploy the Spoke stack to any member account within your AWS Organization that requires assessment, including the Hub account itself. This stack consists of a single IAM role that grants read access to the policies of all supported services.

For efficient deployment across multiple AWS accounts, consider using CloudFormation StackSets.

## Organizations Management Account
<a name="organizations-management-account"></a>

The Org-Management stack must be deployed in your Organizations management account. This stack consists of a single IAM role that will be assumed by the Hub stack’s Lambda function and grants minimal required permissions to access data of the Organization. This role enables:
+ Reading account information (listing accounts and their parent relationships)
+ Reading Delegated Administrator configurations and their services
+ Viewing AWS service access settings for the Organization
+ Reading and listing Organization policies
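The Spoke and Org-Management roles are the trust boundary of the whole deployment: whoever can assume them reads names and policies across every assessed account. The following Python script, added here as an example and not part of the solution's own code, audits a role's trust policy and permission policy for the two properties that matter before rolling the role out to every account: only the Hub account may assume it, and its permissions are reads of names, settings and policies rather than of resource contents or any write action. The account IDs, role names and policy documents are constructed samples; the `organizations:*` actions are one plausible mapping of the four bullet points above, not the solution's actual policy.

```python
"""Audit the trust and permission policies of cross-account assessment roles.

Added example; not the solution's own code. Two checks before deploying a
read-only role into every Spoke account and the management account:
  1. only principals in the Hub account may assume the role
  2. the permissions are read-only, and read names/policies rather than data
All documents below are constructed samples.
"""
import fnmatch
import re

HUB_ACCOUNT = "111111111111"  # constructed placeholder Hub account ID
READ_ONLY_VERBS = ("Get", "List", "Describe")
# Read actions that return resource contents rather than names or policies.
DATA_READ_ACTIONS = {
    "s3:GetObject", "secretsmanager:GetSecretValue", "ssm:GetParameter",
    "ssm:GetParameters", "dynamodb:GetItem",
}
ACCOUNT_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::(\d{12}):(?:root|role/[\w+=,.@/-]+)$")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc, hub_account_id):
    """Findings for Allow statements letting anyone outside the Hub account assume the role."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not any(
                fnmatch.fnmatch("sts:AssumeRole", a) for a in actions):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # "*" or a malformed value
            findings.append(f"principal {principal!r} is not restricted to an account")
            continue
        for p in _as_list(principal.get("AWS")):
            match = ACCOUNT_PRINCIPAL_RE.match(p)
            account = match.group(1) if match else (p if re.fullmatch(r"\d{12}", p) else None)
            if account is None:
                findings.append(f"overly broad AWS principal {p!r}")
            elif account != hub_account_id:
                findings.append(f"principal {p} is outside hub account {hub_account_id}")
        for kind in ("Federated", "Service"):
            for p in _as_list(principal.get(kind)):
                findings.append(f"{kind} principal {p} can assume the role")
    return findings


def audit_permissions(doc):
    """Findings for granted actions that are not reads of names, settings or policies."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction grants every action except those listed")
        for action in _as_list(stmt.get("Action")):
            service, _, verb = action.partition(":")
            if action in DATA_READ_ACTIONS:
                findings.append(f"{action} reads resource contents, not just names or policies")
            elif "*" in service or verb in ("", "*") or not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"{action} is not a read-only action")
            elif "*" in verb and any(fnmatch.fnmatch(d, action) for d in DATA_READ_ACTIONS):
                findings.append(f"wildcard {action} also matches data reads")
    return findings


def audit_role(trust_doc, permission_doc, hub_account_id):
    """Both audits together; an empty list means the role looks least-privilege."""
    return audit_trust_policy(trust_doc, hub_account_id) + audit_permissions(permission_doc)


# Constructed sample documents (hypothetical role name, placeholder account IDs).
SPOKE_TRUST_OK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{HUB_ACCOUNT}:role/HubScanLambdaRole"}}]}
SPOKE_TRUST_BAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": [f"arn:aws:iam::{HUB_ACCOUNT}:root",
                          "arn:aws:iam::222222222222:root"]}}]}  # unrelated account
ORG_MGMT_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["organizations:ListAccounts", "organizations:ListParents",
               "organizations:ListDelegatedAdministrators",
               "organizations:ListDelegatedServicesForAccount",
               "organizations:ListAWSServiceAccessForOrganization",
               "organizations:ListPolicies", "organizations:DescribePolicy"]}]}
SPOKE_PERMS_BAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["s3:ListAllMyBuckets", "s3:GetBucketPolicy", "s3:GetObject",
               "secretsmanager:Get*", "iam:PutRolePolicy"]}]}

if __name__ == "__main__":
    print("org-management:", audit_role(SPOKE_TRUST_OK, ORG_MGMT_PERMS, HUB_ACCOUNT) or "ok")
    print("spoke (bad):", audit_role(SPOKE_TRUST_BAD, SPOKE_PERMS_BAD, HUB_ACCOUNT))
```

Run the two audit functions against the documents returned by `aws iam get-role` and `aws iam get-role-policy` for the deployed roles; any finding is a reason to stop before pushing the Spoke stack through StackSets to every account.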

# Quotas
<a name="quotas"></a>

Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account.

## Quotas for AWS services in this solution
<a name="quotas-for-aws-services-in-this-solution"></a>

Make sure you have sufficient quota for each of the [services implemented in this solution](aws-services.md). For more information, refer to [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

Select one of the following links to go to the page for that service. To view the service quotas for all AWS services in the documentation without switching pages, view the information in the [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-general.pdf#aws-service-information) page in the PDF instead.
+  [Lambda](https://docs.aws.amazon.com/general/latest/gr/lambda-service.html) 
+  [Step Functions](https://docs.aws.amazon.com/general/latest/gr/step-functions.html) 
+  [DynamoDB](https://docs.aws.amazon.com/general/latest/gr/ddb.html) 
+  [API Gateway](https://docs.aws.amazon.com/general/latest/gr/apigateway.html) 
+  [Amazon S3](https://docs.aws.amazon.com/general/latest/gr/s3.html) 
+  [Amazon CloudFront](https://docs.aws.amazon.com/general/latest/gr/cf_region.html) 
+  [Cognito](https://docs.aws.amazon.com/general/latest/gr/cognito_identity.html) 
+  [AWS WAF](https://docs.aws.amazon.com/general/latest/gr/waf.html) 
+  [AWS X-Ray](https://docs.aws.amazon.com/general/latest/gr/xray.html) 

## AWS CloudFormation quotas
<a name="aws-cloudformation-quotas"></a>

Your AWS account has [AWS CloudFormation](https://aws.amazon.com/cloudformation/) quotas that you should be aware of when [launching the stack](step-2-launch-the-spoke-stack.md) in this solution. By understanding these quotas, you can avoid limitation errors that would prevent you from deploying this solution successfully. For more information, refer to [AWS CloudFormation quotas](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html) in the *AWS CloudFormation User Guide*.

## AWS Lambda quotas
<a name="aws-lambda-quotas"></a>

In the hub account, the Step Functions state machine invokes up to 100 Lambda functions to run the scan in parallel across multiple accounts and services. [Review](https://docs.aws.amazon.com/servicequotas/latest/userguide/gs-request-quota.html) and [increase](https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html) your Lambda function concurrency limit to avoid throttling.

## AWS Step Functions quotas
<a name="aws-step-functions-quotas"></a>

A Step Functions execution can fail when it reaches either of two quotas: the maximum input or output size for a task, state, or execution (262,144 bytes of data as a UTF-8 encoded string), or the maximum execution history size (25,000 events in a single state machine execution history). For example:
+  **Scenario 1** - You scan resources in 25 supported services with a maximum of 100 accounts in a job. If you increase the number of accounts, you will reach the maximum execution history size of 25,000 events.
+  **Scenario 2** - You scan 8,000 accounts with a maximum of 3 services in a job. If you add more accounts, you will reach the maximum input or output size for a task, state, or execution of 262,144 bytes.

To avoid reaching these quotas for large-scale scans, we recommend that you define your batch size (number of accounts × number of services) per scan.